Sibros Compliance - WP.29

UNECE WP.29 for R155 & R156

Cybersecurity in Depth and by Design

Schedule DemoDownload Whitepaper
UNECE Logo

WP.29 & Sibros

Sibros’ innovative and paradigm-shifting Deep Connected Platform addresses vulnerabilities associated with software update management systems and mitigates cyberattacks with a vertically-integrated and compromise-resistant data management and OTA update solution.

WP.29 Sibros

Cybersecurity Management Systems (CSMS)

Checkmark icon
Manage cybersecurity risks in both software update systems and vehicle design. 
Checkmark icon
Vehicle lifetime protection from R&D to post-production and decommissioning. 
Checkmark icon
Multi-level access and signature points to safeguard against manipulation and hacking. 

Software Update Management Systems (SUMS)

Checkmark icon
Full lifecycle documentation, update history, and secure data storage. 
Checkmark icon
Full-vehicle ECU and software version checks and image verification
Checkmark icon
Hazard Analysis and Risk Assessment (HARA) for safe and secure software update installation and integration.

Security at Every Stage

Paperwork icon

Information Security Best Practices

Full process documentation and security controlled data storage, employee documentation and security procedure training for quality assurance.

Security Icon

Safety Assurance Mechanisms

Vehicle “safe state” and health verification prior to update installation and rollback mechanism to preserve functionality in the event of an update failure.

Search icon

Target Identification Processes

Vehicle groupings based on static and dynamic characteristics, enabling targeted updates and software fixes.

Light bulb icon

Management Protocols

Comprehensive and adaptable cybersecurity management system for the full vehicle lifecycle to preemptively identify, categorize, and address cyber threats and attacks.

Paper search icon

Vehicle Type Approval

Deep data access and analysis enables exhaustive risk assessment of critical in-vehicle hardware and software.

Paperwork icon

Version Checks

Unique identifiers for hardware and software update packages to ensure update validity and integrity.

Bootloaders Icons

Compliant OTA Processes

Update creation, transfer, and receiving processes for full compliance with WP.29 SUMS requirements.  

Bootloaders updates

Uptane

Automotive specific open-source CSMS framework and multi-layered cryptographic algorithms to safeguard OTA updates.

FAQs

R155

Organizational Cybersecurity Management

What are the requirements for an organizational cybersecurity audit?

To meet organizational cybersecurity audit requirements, organizations must perform periodic audits, provide evidence and documentation of all procedures, processes, incidents, and remediations, and judge whether their processes achieve the objectives outlined in relevant national and international cybersecurity standards.

What is an organizational cybersecurity audit?

An organizational cybersecurity audit is an independent evaluation of an organization's cybersecurity processes, procedures, and policies to judge whether they achieve the objectives outlined in relevant international cybersecurity standards.

What are the requirements for a management system in the context of cybersecurity management?

To meet management system requirements, organizations must establish a quality cybersecurity management system in accordance with international standards, make configuration information available for maintaining vehicle cybersecurity, establish a cybersecurity management system for production processes, and manage tools that can influence the cybersecurity of a product or component.

What is a management system in the context of cybersecurity management?

A management system is a set of processes, procedures, and policies that an organization puts in place to manage and address cybersecurity risks and requirements.

What are the requirements for information sharing in the context of cybersecurity management?

Information sharing requirements include defining situations and circumstances under which cybersecurity information sharing is relevant, permitted, and prohibited, as well as specifying information types to be shared, establishing approval processes, and defining relevant parties.

What is information sharing in the context of cybersecurity management?

Information sharing means exchanging relevant information about cybersecurity risks, threats, hazards, and conflicting requirements within and outside of an organization.

What does it take to establish and maintain a strong cybersecurity culture?

Establishing and maintaining a strong cybersecurity culture involves ensuring that everyone with assigned cybersecurity roles has the necessary training, certifications, and awareness to fulfill their responsibilities. This includes providing risk management, functional safety, and privacy training and implementing continuous improvement processes for all cybersecurity activities.

What does it mean to have a strong cybersecurity culture?

A strong cybersecurity culture means that everyone in the organization shares the same beliefs, values, and behaviors that promote and support cybersecurity best practices.

What are the requirements for cybersecurity governance?

To meet cybersecurity governance requirements, organizations must define a cybersecurity policy that both acknowledges road vehicle cybersecurity risks and commits to managing those risks. They also need to assign responsibilities and organizational authority to achieve comprehensive cybersecurity, as well as provide resources for cybersecurity risk management, development, and incident management.

What is cybersecurity governance?

Cybersecurity governance is a set of rules and policies that organizations put in place to manage and address cybersecurity risks.

What do OEMs need to do to support cybersecurity engineering?

OEMs must establish rules and implement processes that adhere to national and international cybersecurity requirements, including assigning cybersecurity responsibilities, providing resources to address cybersecurity risks, and establishing a cybersecurity management system for relevant activities.

Project Dependent Cybersecurity Management

What are the conditions that must be met before a product can be released for post-development?

To release the product or component for post-development, the cybersecurity case must provide a valid and thorough argument, the cybersecurity assessment must confirm or agree with the cybersecurity case, and the post-development cybersecurity requirements must be accepted. All of these must be available before product release for post-development.

How is a cybersecurity assessment performed in project-dependent cybersecurity management?

A responsible party must be appointed to oversee the planning and performance of a cybersecurity assessment. The assessment must include the cybersecurity plan and include all products and components in the plan, processes and procedures utilized to address cybersecurity risks, a review of the appropriateness and effectiveness of the implemented cybersecurity controls and activities, and rationales that demonstrate compliance with the requirements outlined in International Standards, such as ISO 21434. The assessment report must also include a recommendation for acceptance, conditional acceptance, or rejection of the product or component's cybersecurity.

What is a cybersecurity case and why is it important?

A cybersecurity case is a document that provides evidence to ensure the cybersecurity of the product or component in question is per national and international standards. It is important to create a cybersecurity case to comply with cybersecurity requirements.

What is a reuse analysis in cybersecurity management?

A reuse analysis is an evaluation conducted when a product or component is developed and meets certain criteria such as planned modifications or reuse in a different operational environment.

Can cybersecurity activities be tailored?

Yes, cybersecurity activities can be tailored. The rationale behind why an activity is tailored must be sufficient to achieve relevant protection objectives as outlined in ISO 21434.

What are the requirements for managing a product's cybersecurity development activities?

The first requirement is to assign, communicate, and share cybersecurity activity responsibilities with relevant parties based on information security requirements and best practices. A cybersecurity plan must also be created for each product, which includes objectives, dependencies, responsible personnel, resources, starting and endpoints, intended outcome, and required activities for concept and product development phases per relevant requirements. Cybersecurity plans must be assigned to personnel with the necessary training, certifications, and awareness. They must be updated for any changes or refinements, and adhere to configuration and documentation management procedures.

Distributed Cybersecurity Activities

What is a cybersecurity interface agreement and why is it important?

A cybersecurity interface agreement specifies how cybersecurity activities will be distributed between the customer and supplier, including cybersecurity activity responsibilities, joint tailoring of activities (if applicable), information and documentation to be shared, distributed cybersecurity activity milestones, and a clear definition of the end of cybersecurity support for the product or component in question. It is important for both the customer and supplier to mutually agree upon the agreement prior to the start of distributed cybersecurity activities.

What should be included in a request for quotation for cybersecurity services?

When requesting a quotation from a potential supplier, a formal request to conform with national and international cybersecurity requirements, expectations of cybersecurity responsibilities, and any cybersecurity goals requirements relevant to the specified product or component should be included.

What are the requirements for supplier capability in distributed cybersecurity activities?

When evaluating potential suppliers, their capacity to develop and/or perform post-development activities in accordance with national and international cybersecurity engineering standards should be taken into consideration. Evidence of organizational cybersecurity preparedness and adequacy, continual maintenance and improvement of cybersecurity activities and incident responses, and a summary of previous cybersecurity assessment reports may be included.

Continual Cybersecurity Activities

What should be done in the event of unclear, unfeasible, or conflicting cybersecurity requirements or requirements from other disciplines?

The customer and supplier should communicate to determine the appropriate course of action to remedy the issue. Responsibilities for the customer and supplier should also be specified using a responsibility assignment matrix.

What processes and procedures are required for the maintenance and monitoring of cybersecurity activities?

Processes and procedures required for cybersecurity activity maintenance and monitoring include: comprehensive collection of cybersecurity information from internal and/or external sources, definition and maintenance of triggers for cybersecurity information triage, assessment of collected cybersecurity information to determine if any cybersecurity events have taken place, assessment of any cybersecurity events for product or component weaknesses, vulnerability analysis to identify potential attack paths and feasibility, and vulnerability management to treat cybersecurity risks in accordance with national and international standards.

Threat Analysis and Risk Assessment

What are examples of risks that might be identified during a TARA?

Examples include ransomware attacks, compromise of internal user credentials + MFA, and compromise of security framework (for example Rippling).

What is the risk treatment decision in TARA?

A risk treatment decision is the process of selecting one or more risk treatment options. These might include risk avoidance, risk reduction, division of risk through sharing, and risk retention.

What is risk value determination in TARA?

Risk value determination is the process of assigning a risk value between 1 and 5 to each threat scenario based on its impact and attack feasibility.

What is the attack feasibility rating in TARA?

Attack feasibility rating is the process of determining the feasibility of an attack path using various rating methods such as an attack potential-based approach, a common vulnerability scoring system (CVSS)-based approach, or an attack vector-based approach.

What is attack path analysis in TARA?

Attack path analysis is the process of analyzing potential threat scenarios for the identification of potential attack paths.

What is the impact rating in TARA?

Impact rating is the process of analyzing potential damage scenarios and assessing their impact on road users. This includes safety, financial, operational, and privacy categories.

What is threat scenario identification in TARA?

Threat scenario identification is the process of identifying potential threat scenarios, including the targeted product or component, which cybersecurity property is compromised, and the source or cause of compromise.

What is asset identification in TARA?

Asset identification is the process of identifying potential damage scenarios that could result from the compromise of the cybersecurity properties of a specific product or component.

What is TARA?

TARA stands for Threat Analysis and Risk Assessment. It is a method used to analyze potential threats to the cybersecurity properties of a specific product or component and assess the risk of each threat scenario.

R155 Description

R156

Concept Phase

What is the purpose of verifying cybersecurity management analysis results in the concept phase?

The purpose of verifying the results is to ensure completeness, correctness, and consistency with respect to cybersecurity goals and claims.

What is the cybersecurity concept in the concept phase of cybersecurity management?

A description of the technical and operational cybersecurity controls in place to achieve cybersecurity goals. This includes considerations for functional dependencies in the item and/or cybersecurity claims and defines the cybersecurity requirements of the item and the operational environment needed to achieve the cybersecurity goals.

What is the purpose of performing an analysis of cybersecurity goals in the concept phase?

The purpose of performing an analysis in the cybersecurity goals stage is to identify assets, threat scenarios, impact ratings, attack paths, attack feasibility ratings, risk values, and determine risk treatment based on analysis results for each threat scenario.

What are the item definition requirements in the concept phase?

Item definition requirements in the cybersecurity management concept phase include identifying item information such as item boundary, intended behavior, preliminary architecture, and operational environment.

What is the concept phase in relation to cybersecurity management?

The concept phase is the initial phase in cybersecurity management where the item to be developed is defined along with its relation to cybersecurity goals and concepts.

Product Development Phase

What is cybersecurity validation in product development?

Cybersecurity validation involves confirming and validating cybersecurity goals and claims and eliminating any unreasonable risks. It considers the configurations for series production and includes confirming the adequacy of cybersecurity goals for threat scenarios and corresponding risks, achieving item cybersecurity goals, and validating operational environment requirements.

What methods are used for the testing of integration and verification in the product development phase?

Methods used for the testing of integration and verification include functional testing, vulnerability scanning, fuzz testing, and penetration testing.

What is the purpose of integration and verification in product development as it relates to cybersecurity?

Integration and verification in product development involve verifying that all defined cybersecurity specifications are met in the implementation and integration of components, and performing testing to confirm, minimize, and manage unidentified weaknesses and vulnerabilities in the component. The purpose is to ensure that cybersecurity goals and claims are validated and any unreasonable risks are eliminated.

What is the role of design in product development as it relates to cybersecurity?

In product development, design involves defining cybersecurity specifications based on existing architectural design and assigning the defined cybersecurity requirements to components of the architectural design. It also includes applying established and trusted design and implementation principles to prevent or reduce cybersecurity vulnerabilities and verifying cybersecurity specifications to ensure completeness, correctness, and consistency with specifications from higher levels of architectural abstraction.

What is the product development phase as it relates to cybersecurity?

During the product development phase, the organization must have processes in place to test and assess whether a product or component identified in the concept phase is secure and resistant to cyber attacks. This includes identifying the item information such as its intended behavior, architecture, and operational environment, as well as performing an analysis to determine cybersecurity goals and risk treatment decisions.

Post-Development Phases

What should the procedure for the end of cybersecurity support for an item or component include in regard to customer communication?

The procedure for customer communication of the end of cybersecurity support for an item or component should include information on how and when the cybersecurity support will end, any necessary steps that the customer needs to take, and any recommendations for replacement or upgrading of the item or component.

What is the end of cybersecurity support and decommissioning phase?

The end of cybersecurity support and decommissioning phase is where methods and procedures are enacted to communicate the end of cybersecurity support and decommission relevant items and components.

What is the purpose of developing updates and relevant capabilities within the vehicle during the operations and maintenance phase?

The purpose of developing updates and relevant capabilities within the vehicle during the operations and maintenance phase is to ensure that the vehicle stays updated and secure in accordance with ISO 21434 and WP.29 R156.

What is the importance of a cybersecurity incident response plan?

A cybersecurity incident response plan is important for every cybersecurity incident as it provides remedial actions based on vulnerability management procedures, a communication plan involving all relevant internal and external parties, designated responsibilities for remedial actions, procedures for recording new and relevant information pertaining to the cybersecurity incident, a method or measure for determining progress, and cybersecurity incident response closure criteria.

What is included in the production control plan for post-development?

The production control plan for post-development includes the application sequence for post-development cybersecurity requirements, any equipment and production tools, production cybersecurity controls to prevent unauthorized access or alteration, and confirmation methods to ensure post-development cybersecurity requirements are met.

What is the production phase in relation to cybersecurity management?

The production phase is the phase in cybersecurity development where cybersecurity requirements are applied and new vulnerabilities are prevented during production.

R156 Description

Is Your Fleet Protected Against Cyberattacks? 

Contact us to schedule a demo and learn more.

Schedule Demo
OTA data logger

Concept Phase

The item must be defined along with its relation to cybersecurity goals and concepts. 

Item Definition

Identify item information.

<Including> 

  • Item boundary that distinguishes the item from its operational environment, including interfaces with other internal items and/or external systems
  • The intended behavior of the item during each lifecycle phase and the expected vehicle functionality realized by the item.
  • Description of the preliminary architecture, including component and connection identification and information on relevant cybersecurity standards. 

Describe the operational environment and its interactions as relevant to cybersecurity, including the identification and analysis of relevant threat scenarios and attack paths.

Cybersecurity Goals

Perform an analysis based on item definition. 

<Including> 

Identification Of:

  • Assets 
  • Threat scenarios
  • Impact ratings 
  • Attack paths
  • Attack feasibility rating
  • Risk values

Determine risk treatment based on analysis results for each threat scenario.

Specify cybersecurity goals for any risk treatment decision and threat scenario including risk reduction as a solution.

Specify corresponding cybersecurity claims for any risk treatment decision that includes:

  • Sharing the risk, or
  • Retaining the risk based on one or more assumptions

Perform verification to confirm the correctness, completeness, and consistency of: 

  • The analysis with respect to the item definition
  • Risk treatment decisions with respect to the analysis results.
  • Cybersecurity goals and claims with respect to risk treatment decisions.
  • All cybersecurity goals and claims of the item.

Perform verification to confirm the correctness, completeness, and consistency of: 

  • The analysis with respect to the item definition
  • Risk treatment decisions with respect to the analysis results.
  • Cybersecurity goals and claims with respect to risk treatment decisions.
  • All cybersecurity goals and claims of the item.
Cybersecurity Concept

Describe the technical and operational cybersecurity controls in place to  achieve cybersecurity goals. 

<Including>

Considerations for:

  • Functional dependencies in the item, and/or
  • Cybersecurity claims, including conditions for achieving cybersecurity goals and functions dedicated to addressing aspects of various threat scenarios

Define the cybersecurity requirements of the item and operational environment to achieve the cybersecurity goals. 

<Including>

  • Specific item features or capabilities 
  • Operational environment requirements to confirm the accomplishment of cybersecurity goals

Allocate cybersecurity requirements to items and applicable components.

Verify the results of all aspects of the cybersecurity concept to ensure completeness, correctness, and consistency with respect to cybersecurity goals and claims.

Product Development

Cybersecurity-related components and their respective cybersecurity specifications must be specified, defined, and evidence provided regarding specification effectiveness.

Design

Define cybersecurity specifications based on:

  • Any cybersecurity specifications from higher levels of architectural abstraction
  • Cybersecurity controls for implementation,
  • Existing architectural design

Assign the defined cybersecurity requirements to components of the architectural design.

Specify applicable procedures to ensure cybersecurity after component development. 

Consider the following when design, modeling, or programming notations are used for cybersecurity

specifications or implementation:

  • Clear and comprehensible definition of syntax and semantics.
  • Modularity, abstraction and encapsulation support
  • Support for constructs support
  • Support for secure design and implementation techniques

Any cybersecurity criteria for design, modeling, or programming that is not addressed by the language itself must be accounted for in the design, modeling and coding guidelines, or the development environment.

Apply established and trusted design and implementation principles to prevent or reduce cybersecurity vulnerabilities.

Analyze cybersecurity specification to identify and address weaknesses.

Verify cybersecurity specifications to ensure completeness, correctness, and consistency with specifications from higher levels of architectural abstraction.

Integration and Verification

Verify that all defined cybersecurity specifications are met in the implementation and integration of components.

Specify integration and verification activities based on: 

  • Cybersecurity specifications;
  • Applicable series production configurations 
  • Sufficient functionality support as specified in cybersecurity specifications
  • Complicity with applicable modeling, design, and coding guidelines

Evaluate verification testing activity coverage and sufficiency by using defined test coverage metrics.

Perform testing to confirm, minimize, and manage unidentified weaknesses and vulnerabilities in the component. 

<Methods Include>

  • Functional testing
  • Vulnerability scanning
  • Fuzz testing
  • Penetration testing

Provide rationale in the event that appropriate verification and integration is not performed.

Cybersecurity Validation 

Cybersecurity goals and claims must be confirmed and validated along with the elimination of any unreasonable risks. 

Cybersecurity Validation 

Confirm validation activities at the vehicle-level that consider the configurations for series production.

<Including>

  • Adequacy of cybersecurity goals for threat scenarios and corresponding risks 
  • Achievement of item cybersecurity goals 
  • Validity of cybersecurity claims
  • Applicable validation of operational environment requirements

Provide a rationale for the selected validation activities.

Post-Development Phases

Cybersecurity requirements must be applied and the introduction of new vulnerabilities prevented.

Production

Create a production control plan for post-development including the application of cybersecurity requirements.

Include the following in the production control plan:

  • Application sequence for post-development cybersecurity requirements
  • Any equipment and production tools
  • Production cybersecurity controls to prevent unauthorized access or alteration 
  • Confirmation methods to ensure post-development cybersecurity requirements are met.

Implement the production control plan.

Operations and Maintenance

Cybersecurity must be maintained after production, including the implementation of remedial activities for any and all incidents. 

Cybersecurity Incident Response

Create a cybersecurity incident response plan for every cybersecurity incident. 

<Including>

  • Remedial actions based on vulnerability management procedures 
  • A communication plan involving all relevant internal and external parties as appropriate.  
  • Designated responsibilities for remedial actions
  • Procedures for recording new and relevant information pertaining to the cybersecurity incident
  • A method or measure for determining progress.
  • Cybersecurity incident response closure criteria 
  • Any actions required for incident closure

Implement the cybersecurity incident response plan.

Updates

Develop updates and relevant capabilities within the vehicle in accordance with ISO 21434 and WP.29 R156.

End of Cybersecurity Support and Decommissioning

Methods and procedures for communicating the end of cybersecurity support and the decommissioning of relevant items and components.

Create a procedure for customer communication of the end of cybersecurity support for an item or component.

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
DenyAccept
Products
Solutions
Company
Ready to Get Started?
Reach out to schedule a demo and learn more.
Get Connected
Copyright @ 2023 Sibros Technologies Inc.
All Rights Reserved.